Managing information

Observation

Access to growing amounts of customer information and new ways of using it have the potential to improve efficiency and competition, and present opportunities to empower consumers. However, evidence indicates these trends heighten privacy and data security risks.

Many firms now collect, hold and use large amounts of customer data, especially payments data. Some of these firms, including some from outside the financial sector, are seeking to use their vast data stores to gain entry into financial services. For example, Facebook is preparing to provide financial services in the form of remittances and electronic money, seeking regulatory approval in Ireland to do so.63 Google plans to expand its mobile payments and wallet products and is likewise seeking United Kingdom regulatory approval.64 Almost half (47 per cent) of bankers recently surveyed believe their biggest competitive threat is from non-financial players — supermarket entrants, payments providers and other forms of disintermediation.65

Although starting in payments, many of these firms are seeking to broaden their strategies to target the concept of a customer’s ‘financial health’. Both traditional and non-traditional firms are developing services to assist and influence consumer decisions on what to buy, and where and when to buy it. These services are designed to encompass all types of products, not only those of a financial nature. For example, services may come in the form of discounts and offers triggered by location-based technologies. Alternatively, they may be packaged as general advice on how to ‘spend smarter’.

Privacy

Information about an individual’s finances and creditworthiness forms one of the most sensitive categories of personal information.66 Financial institutions may hold details such as: account balances; repayment histories; spending patterns including products, store names and locations; tax file numbers; and evidence of income levels. Some institutions may additionally hold information on an individual’s health or genetics. In future, they may hold increasing amounts of biometric data. Firms are seeking new ways to use this information to predict the behaviour of individual customers for commercial purposes, raising questions around privacy.

Preliminary assessment

Firms are collecting and storing growing volumes and types of customer data. As they seek to harness the commercial value of the data, it increasingly raises concerns about the way in which personal information is handled and used. However, it may also present opportunities for improving consumer outcomes. The Data security and cloud technology section discusses risks related to data security.

Benefits

Most financial services firms are using data analytics to pursue personalised products.67 For consumers, this is leading to new products, enhanced product functionality and better customer service. Many consumers will also have improved access to products and services, although some may experience more difficulties with access as risk-based pricing becomes increasingly individualised. This is discussed further in the Underinsurance section of the Consumer outcomes chapter.

For firms, information analytics supports more efficient marketing and better cross-selling opportunities by enhancing their ability to predict the behaviour of individuals. Customer issues can be identified earlier, improving customer satisfaction and retention. Firms can offer consumers lower-cost self-serve options and potentially lower fees and prices. Internal processes, such as fraud and risk management, are also improved.

Risks, impediments and opportunities

However, these benefits come with heightened privacy risks. One submission identifies two main privacy-related risks: first, data might be collected and used in ways a customer might not like; and second, the data might reveal information about persons other than the consenting customer, such as their friends, family or clients.68 Another submission suggests that, given information analytics enables firms to target the most profitable customers, in some areas, such as extending credit, this may not be in the best interests of customers and may lead to financial hardship.69 Others note that some segments of the community, such as senior Australians, are particularly sensitive to privacy, safety and security issues.70

Some submissions, while acknowledging that privacy protections are important, argue that, in some areas, privacy regulations are overly restrictive and impede efficiency. For example, when assessing creditworthiness, providers lack access to some data sources, such as utility payment history and some Government databases.

Stakeholders also note the difficulties firms with transnational operations face in relation to cross-border information flows. For example, regulatory settings can impose requirements for record keeping that restrict data sharing across branches of the same financial institution located in different jurisdictions. In other cases, laws in one jurisdiction can make it difficult to meet regulatory reporting requirements in another. Institutions may be faced with a choice of complying with the requirements of one jurisdiction over another or ceasing the activity altogether.

Some stakeholders suggest considering mechanisms to provide consumers with broader access to their own data to improve decision making.71 This could be similar to the United Kingdom Government’s ‘midata’ initiative, which seeks to empower consumers by providing them with secure access to their own data.72 Another stakeholder suggests giving customers greater control through an opt-in system for use of their data. This might, for example, involve requiring prior customer consent to use their data for cross-selling or enabling a customer to instruct one firm to share their personal data with another.73 Online comparators and their use of consumer data is discussed in the Consumer outcomes chapter. Others argue for more Government data sets to be released to improve industry analysis, risk management and public policy development.74

Australia’s privacy framework

Following a 28-month inquiry by the Australian Law Reform Commission (ALRC) completed in 2008, privacy law reforms came into effect in March 2014.75 One of the review’s primary drivers was “the rapid advance in information, communication, storage, surveillance and other relevant technologies”.76 It specifically considered how personal information is used in credit reporting, direct marketing and cross-border information flows.

The resulting reforms include 13 Australian Privacy Principles covering the collection, use, disclosure and management of personal information by Government agencies and certain private sector organisations. These reforms are substantial and have only recently been implemented. They require time to take effect. Consequently, assessing their effectiveness at this point will be of limited benefit, although a future review may be appropriate.

Policy options for consultation

The Inquiry would value views on the costs, benefits and trade-offs of the following policy options or other alternatives:

Review and assess the new privacy requirements two years after implementation to consider whether the impacts appropriately balance financial system efficiency and privacy protections.

Review record-keeping and privacy requirements that impact on cross-border information flows and explore options for improving cross-border mutual regulatory recognition in these areas.

The Inquiry seeks further information on the following areas:

What options could be explored for providing consumers with more control over use of their data and/or better access to their own data in useful formats to improve decision making and consumer outcomes?

What additional Government data sets could be released to improve consumer outcomes, industry analysis and public policy development via data.gov.au, taking into account relevant privacy requirements?

Data security and cloud technology

Preliminary assessment

Growth in both the amount of data held and used by firms and in the use of cloud technology potentially increases efficiency, but concurrently intensifies operational risks related to privacy, security and control of data. Risks related to the use of information are discussed in the Privacy section.

Data security

The growing amount of data stored and used by firms can bring many benefits to consumers, businesses and Government. However, it also creates the risk of a data breach exposing large amounts of sensitive customer information, especially given the increased sophistication and frequency of cyber attacks. For example, a recent study on global threat activity reported that, worldwide, the number of data breaches had grown by 22 per cent between 2011 and 2013.77 Compounding this increase in frequency, the growth in the size of each breach resulted in the number of individuals who had their personal information78 exposed more than doubling, from 232 million to 552 million over the same period.

Many submissions recognise the importance of institutions safeguarding the customer information they hold. If Australians do not trust institutions to protect their personal information, this will impede the ability to transact and conduct business online. A recent study shows data breaches not only negatively impact Australian businesses, in terms of the direct costs of managing the consequences of the breach; they also significantly damage reputation and drive away customers.79 The study also found that data breaches are more likely to occur in retail and financial services than other sectors, and these sectors are more susceptible to high customer turnover.

Currently, where data breaches involve personal information, there are no mandatory requirements to report the incident to the Office of the Australian Information Commissioner (OAIC)80 or notify affected individuals under the Privacy Act 1988. In 2012, the ALRC recommended this be amended.81 Mandatory notifications can help individuals regain control over personal information. Being transparent about handling information can help rebuild public trust by demonstrating that an organisation takes its obligation to protect personal information seriously. Similarly, notifying the OAIC may help reinforce this, and it may also assist the OAIC in handling inquiries and managing complaints.82

Cloud technology

Cloud technology has the potential to improve the efficiency of financial service provision. For example, shifting to cloud services has reduced the Commonwealth Bank’s storage, app testing and development costs by 50 per cent — above the 40 per cent savings the bank expects from cloud migration.83 Previously, 75 per cent of the bank’s IT expenditure was on infrastructure. Cloud usage has reduced this to 26 per cent, freeing up capital for innovative developments in business logic and customer-facing technologies.84 A recently released Government report into cloud computing regulation also recognises the innovation and productivity benefits of the technology.85

Consequently, a number of submissions argue for flexibility in cloud technology regulation, particularly in any future guidelines to be developed by the Australian Prudential Regulation Authority (APRA).86 One submission notes that “because of its scale, cloud computing infrastructure is cheaper to run, more flexible to use, and can provide greater security, with the ability to update services rapidly with enhanced safeguards”.87 Submissions suggest that, to encourage the uptake of these technologies or those of other third-party providers, regulatory guidelines should take a principles-based rather than prescriptive approach.

Although cloud technology offers many benefits, its use also potentially dilutes a firm’s control over its data and systems, increasing security risks. In addition, where a cloud provider is located offshore, a regulator may have limited capacity to obtain information, investigate or take enforcement action where necessary. Stakeholders acknowledge the importance of protecting customer data and core infrastructure, and therefore the need for APRA to develop guidelines. One submission also observes that APRA should monitor the concentration risk on a system-wide basis, given the increased reliance of firms on a potentially small number of third-party providers.

From a consumer perspective, use of cloud technology also has the potential to introduce some level of confusion in relation to who is accountable to the consumer. In particular, where cloud solutions are provided by a third party, questions may arise if a consumer’s private data is handled inappropriately or financial services transactions are not administered to an appropriate standard.

Policy options for consultation

The Inquiry would value views on the costs, benefits and trade-offs of the following policy options or other alternatives:

Implement mandatory data breach notifications to affected individuals and the Australian Government agency with relevant responsibility under privacy laws.

Communicate to APRA continuing industry support for a principles-based approach to setting cloud computing requirements and the need to consider the benefits of the technology as well as the risks.

66 For example, the Privacy Act 1988 has specific provisions that deal with tax file numbers and credit-related information and the Office of the Australian Information Commissioner has a series of related fact sheets, viewed 3 June 2014.